US-7187769

Method and apparatus for evaluating the strength of an encryption

Published: March 6, 2007
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

In the evaluation of the randomness of an S-box, measures of resistance to higher order cryptanalysis, interpolation cryptanalysis, partitioning cryptanalysis and differential-linear cryptanalysis and necessary conditions for those measures to have resistance to each cryptanalysis are set, then for functions as candidates for the S-box, it is evaluated whether one or all of the conditions are satisfied, and those of the candidate functions for which one or all of the conditions are satisfied are selected as required. It is also possible to further evaluate the resistance of such selected functions to at least one of differential cryptanalysis and linear cryptanalysis and select those of the candidate functions which are resistant to at least one of the cryptanalyses as required.

Patent Claims
13 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A random function generating apparatus for a data encryption device comprising:
  input means for inputting digital signals representing parameter values of each of a plurality of functions each of a composite function composed of first and second functions of different algebraic structures, and for storing them in storage means;
  candidate function generating means for generating candidate functions each of said composite function formed of said first and second functions of different algebraic structures based on said plurality of parameters read out of the storage means;
  resistance evaluating means for evaluating the resistance of each of said candidate functions to a cryptanalysis; and
  selecting means for selecting those of said resistance-evaluated candidate functions which are highly resistant to said cryptanalysis and outputting digital signals representing selected ones of said resistance-evaluated candidate functions;
  wherein one of said first and second functions of different algebraic structures is resistant to each of differential cryptanalysis and linear cryptanalysis,
  wherein said input means is adapted to input digital signals representing input difference values Δx and output mask values Γy and storing them in the storage means, and said resistance evaluating means comprises at least one of:
    higher-order-differential cryptanalysis resistance evaluating means for: calculating a minimum value of the degree of a Boolean polynomial for input bits by which output bits of each of said candidate functions are expressed; and evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation;
    interpolation-cryptanalysis resistance evaluating means for: expressing an output value y as y=f_k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; and evaluating the resistance of said each candidate function to interpolation cryptanalysis based on the result of said number;
    partitioning-cryptanalysis resistance evaluating means for: dividing all input values of the function to be evaluated and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationships between the input subset and the output subset with respect to their average corresponding relationship; and evaluating the resistance of said candidate function to partitioning cryptanalysis based on the result of said calculation; and
    differential-linear cryptanalysis resistance evaluating means for: calculating, for every set of input difference value Δx and output mask value Γy of the function S(x) to be evaluated a number of input values x for which the inner product of (S(x)+S(x+Δx)) and said output mask value Γy is 1; and evaluating the resistance of said candidate function to differential-linear cryptanalysis based on the result of said calculation.

2. A random function generating method for data encryption comprising the steps of:
  (o) inputting digital signals representing input difference values Δx, output mask values Γy and parameter values of each of a plurality of candidate functions and storing them in storage means;
  (a) setting various input values read out of the storage means for each of candidate functions S(x) of S-box and calculating output values corresponding to said various input values x;
  (b) storing the output values in storage means; and
  (c) evaluating the resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis;
  and wherein said step (c) comprising:
    (c-1) a higher-order cryptanalysis resistance evaluating step of: calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed; evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
    (c-2) a differential-linear cryptanalysis resistance evaluating step of: calculating, for every set of input difference value Δx and output mask value Γy of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+Δx)) and said output mask value Γy is 1; evaluating resistance of said candidate function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others;
    (c-3) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationship between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and
    (c-4) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y as y=f_k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said candidate function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others;
  wherein said candidate functions are each a composite function composed of first and second functions of different algebraic structures, at least one of said first and second functions being resistant to said differential cryptanalysis and said linear cryptanalysis.

4. The random function generating method of claim 3, wherein said candidate functions are each a composite function composed of at least one function resistant to said differential cryptanalysis and said linear cryptanalysis and at least one function of an algebraic structure different from that of said at least one function.

5. The random function generating method of claim 2 or 3, wherein:
  said step (c-1) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said first reference by a first predetermined width, and executing again the evaluation and selecting process;
  said step (c-2) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said second reference by a second predetermined width, and executing again the evaluation and selecting process;
  said step (c-3) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said third reference by a third predetermined width, and executing again the evaluation and selecting process; and
  said step (c-4) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fourth reference by a fourth predetermined width, and executing again the evaluation and selecting process.

6. The random function generating method of claim 5, wherein said candidate functions are each a composite function composed of at least one function resistant to said differential cryptanalysis and said linear cryptanalysis and at least one function of an algebraic structure different from that of said at least one function.

7. The random function generating method of claim 2 or 3, further comprising:
  (c-5) a differential-cryptanalysis resistance evaluating step of: calculating, for each candidate function S(x), the number of inputs x that satisfy S(x)+S(x+Δx)=Δy for every set (Δx, Δy) except Δx=0; evaluating the resistance of said each candidate function to differential cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined fifth reference and discarding the others before said step (c-2); and
  (c-6) a linear-cryptanalysis resistance evaluating step of: calculating, for each candidate function, the number of input values x for which the inner product of the input value x and its mask value Γx is equal to the inner product of a function output value S(x) and its mask value Γy; evaluating the resistance of said each candidate function to linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined sixth reference and discarding the others after said step (c-5).

8. The random function generating method of claim 7, wherein:
  said step (c-5) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fifth reference by a fifth predetermined width, and executing again the evaluation and selecting process; and
  said step (c-6) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said sixth reference by a sixth predetermined width, and executing again the evaluation and selecting process.

9. A recording medium having recorded thereon a random function generating method for data encryption as a computer program, said program comprising the steps of:
  (a) setting various values as each parameter for candidate functions S(x) and calculating output values corresponding to various input values;
  (b) storing the output values in storage means; and
  (c) evaluating resistance of each of said candidate functions to a cryptanalysis based on the output values stored in said storage means, and selectively outputting candidate function highly resistant to said cryptanalysis;
  and wherein said step (c) comprises:
    (c-1) a higher-order cryptanalysis resistance evaluating step of calculating a minimum value of the degree of a Boolean polynomial for input bits of each of said candidate functions by which its output bits are expressed, evaluating the resistance of said each candidate function to higher order cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined first reference and discarding the others;
    (c-2) a differential-linear cryptanalysis resistance evaluating step of: calculating, for every set of input difference value Δx and output mask value Γy of each candidate function S(x), a number of input values x for which the inner product of (S(x)+S(x+Δx)) and said output mask value Γy is 1; evaluating resistance of said candidate function to differential-linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined second reference and discarding the others;
    (c-3) a partitioning-cryptanalysis resistance evaluating step of: dividing all input values of each candidate function and the corresponding output values into input subsets and output subsets; calculating an imbalance of the relationship between the input subset and the output subset with respect to their average corresponding relationship; evaluating the resistance of said each candidate function to said partitioning cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined third reference and discarding the others; and
    (c-4) an interpolation-cryptanalysis resistance evaluating step of: expressing an output value y as y=f_k(x) for an input value x and a fixed key k using a polynomial over Galois field which is composed of elements equal to a prime p or a power of said prime p; counting a number of terms of said polynomial; evaluating the resistance of said candidate function to interpolation cryptanalysis; and leaving those of said candidate functions whose resistance is higher than a predetermined fourth reference and discarding the others;
  wherein said candidate functions are each a composite function composed of first and second functions of different algebraic structures, at least one of said first and second function being resistant to said differential cryptanalysis and said linear cryptanalysis.

11. The recording medium of claim 10, wherein said candidate functions are each a composite function composed of at least one function resistant to said differential cryptanalysis and said linear cryptanalysis and at least one function of an algebraic structure different from that of said at least one function.

12. The recording medium of claim 9 or 10, wherein:
  said step (c-1) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said first reference by a first predetermined width, and executing again the evaluation and selecting process;
  said step (c-2) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said second reference by a second predetermined width, and executing again the evaluation and selecting process;
  said step (c-3) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said third reference by a third predetermined width, and executing again the evaluation and selecting process; and
  said step (c-4) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fourth reference by a fourth predetermined width, and executing again the evaluation and selecting process.

13. The recording medium of 12, wherein said candidate functions are each a composite function composed of at least one function resistant to said differential cryptanalysis and said linear cryptanalysis and at least one function of an algebraic structure different from that of said at least one function.

14. The recording medium of claim 9 or 10, wherein said program includes at least one of:
  (c-5) a differential-cryptanalysis resistance evaluating step of: calculating, for each candidate function S(x), the number of inputs x that satisfy S(x)+S(x+Δx)=Δy for every set (Δx, Δy) except Δx=0; evaluating the resistance of said each candidate function to differential cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined fifth reference and discarding the others before said step (c-2); and
  (c-6) a linear-cryptanalysis resistance evaluating step of: calculating, for each candidate function, the number of input values x for which the inner product of the input value x and its mask value Γx is equal to the inner product of a function output value S(x) and its mask value Γy; evaluating the resistance of said each candidate function to linear cryptanalysis based on the result of said calculation; and leaving those of said candidate functions whose resistance is higher than a predetermined sixth reference and discarding the others after step (c-5).

15. The recording medium of claim 14, wherein:
  said step (c-5) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said fifth reference by a fifth predetermined width, and executing again the evaluation and selecting process; and
  said step (c-6) includes a step of: when no candidate function remains undiscarded, easing the candidate function selecting condition by changing said sixth reference by a sixth predetermined width, and executing again the evaluation and selecting process.
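
The counting measures recited in steps (c-1), (c-2), (c-5) and (c-6) can be computed directly from an S-box lookup table. The following is an added illustration, not code from the patent or from this page; it assumes an n-bit to n-bit table, reads "+" in the claims as XOR, and uses the published 4-bit S-box of the PRESENT cipher as sample input. The function names and the choice to report deviation from the balanced count are assumptions.

```python
# Added example: the counting measures from steps (c-1), (c-2), (c-5), (c-6).
# Assumptions: S is an n-bit to n-bit lookup table and "+" in the claims is XOR.

def parity(v):
    """Inner product over GF(2) once a mask is applied: parity of v's bits."""
    return bin(v).count("1") & 1

def diff_uniformity(S):
    """(c-5): max over dx != 0 and dy of #{x : S(x) ^ S(x ^ dx) == dy}."""
    worst = 0
    for dx in range(1, len(S)):
        row = [0] * len(S)
        for x in range(len(S)):
            row[S[x] ^ S[x ^ dx]] += 1
        worst = max(worst, max(row))
    return worst

def linear_deviation(S):
    """(c-6): max |#{x : <x,Gx> == <S(x),Gy>} - len(S)/2| over Gy != 0."""
    size = len(S)
    def count(gx, gy):
        return sum(parity(x & gx) == parity(S[x] & gy) for x in range(size))
    return max(abs(count(gx, gy) - size // 2)
               for gx in range(size) for gy in range(1, size))

def dl_count(S, dx, gy):
    """(c-2): #{x : <S(x) ^ S(x ^ dx), Gy> == 1}."""
    return sum(parity((S[x] ^ S[x ^ dx]) & gy) for x in range(len(S)))

def dl_deviation(S):
    """Worst (c-2) imbalance from len(S)/2 over dx != 0 and Gy != 0."""
    size = len(S)
    return max(abs(dl_count(S, dx, gy) - size // 2)
               for dx in range(1, size) for gy in range(1, size))

def min_degree(S):
    """(c-1): minimum algebraic degree over output bits (Moebius transform)."""
    size, n = len(S), len(S).bit_length() - 1
    degrees = []
    for bit in range(n):
        anf = [(S[x] >> bit) & 1 for x in range(size)]  # truth table of one bit
        for i in range(n):                              # in-place ANF transform
            for x in range(size):
                if (x >> i) & 1:
                    anf[x] ^= anf[x ^ (1 << i)]
        degrees.append(max((bin(m).count("1") for m in range(size) if anf[m]), default=0))
    return min(degrees)

# Sample input: the published 4-bit S-box of the PRESENT cipher (not from the patent).
PRESENT_SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

if __name__ == "__main__":
    print(diff_uniformity(PRESENT_SBOX), linear_deviation(PRESENT_SBOX),
          dl_deviation(PRESENT_SBOX), min_degree(PRESENT_SBOX))
```

On this sample the differential and linear measures are the best a 4-bit permutation can reach, yet `dl_count` for Δx=1, Γy=1 is 16 of 16 inputs, the kind of imbalance that step (c-2) is meant to screen out separately.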

Patent Metadata

Filing Date: June 1, 1999

Publication Date: March 6, 2007

Cite as: Patentable. “Method and apparatus for evaluating the strength of an encryption” (US-7187769). https://patentable.app/patents/US-7187769
